Symptoms

The groups and roles are not being assigned to the user after their first login via SSO, even though the "Assign groups by SSO" option is selected and the correct GUID of the corresponding IDP group is present in the External ID field.

Cause

The user is currently not assigned to the appropriate group and roles due to a missing Group Claims configuration on the Azure AD side. This issue arises because the IDP (Identity Provider) is not sending the necessary group GUIDs.

Resolution

To add the missing Group Claims and resolve the issue, please perform the following steps:

1. Access the Azure AD portal and navigate to the application's configuration settings.
2. Locate the Attributes & Claims section, and click the Edit button.
3. Add the claims as shown in the following screenshot:
   
   
4. If the claims configuration is missing or incorrect, update it accordingly to include the necessary group information.
5. Save the changes and test the authentication process again to ensure that the user is now assigned to the correct group and roles.

Additional information

Managing user groups